0
votes

I am writing a custom Wireshark Lua dissector. One field in the dissector is a UTF16 string. I tried to specify this field with

msg_f = ProtoField.string("mydissector.msg", "msg", base.UNICODE)
local getMsg = buffer(13) -- range from byte 13 to the end of the packet
subtree:add_le(msg_f, getMsg)

However, this only adds the first character rather than the whole string. It also raises an Expert Info warning, "undecoded trailing/stray characters".

What is the correct way to parse a UTF16 string?

2 Answers

0
votes

You haven't specified the range of bytes that comprises the string. This is typically determined by either an explicit length field or by a NULL-terminator. The exact method of determining the range is dependent upon the particular protocol and field in question.

An example of each type:

  • If there's a length field, say of 1 byte in length that precedes the string, then you can use something like:
    -- the length byte gives the exact range of the string (assumed here to count bytes)
    local str_len = buffer(13, 1):le_uint()

    subtree:add_le(m.msg_len_f, buffer(13, 1))
    if str_len > 0 then
        subtree:add_le(m.msg_f, buffer(14, str_len))
    end
  • And if the string is NULL-terminated, you can use something like:
    -- le_ustringz() decodes a UTF-16LE string up to its two-byte terminator and also
    -- returns the number of bytes consumed, terminator included; that is the range
    local str, str_len = buffer(13):le_ustringz()
    subtree:add(m.msg_f, buffer(13, str_len), str)

These are just pseudo-examples, so you'll need to apply whatever method, possibly none of these, to fit your data.

Refer to Wireshark's Lua API Reference Manual for more details, or to the Wireshark LuaAPI wiki pages.

0
votes

The solution I came up with is simply:

msg_f = ProtoField.string("mydissector.msg", "msg")
local getMsg = buffer(13) -- starting on byte 13
local msg = getMsg:le_ustring()  -- decode the whole range as UTF-16LE
subtree:add(msg_f, getMsg, msg)  -- third argument: the value to display instead of re-decoding the bytes
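A complete dissector that puts the two answers together, added here as an example; it is not code from the question or from either answer. It assumes an invented packet layout (a type byte, 12 opaque header bytes, then either a 1-byte byte count followed by UTF-16LE text, or UTF-16LE text ending in 0x0000), assumed field names, and an assumed UDP port 5000. The length byte is validated before it is turned into a range, since it arrives off the wire and cannot be trusted.

```lua
-- Added example (not code from the question or either answer): a complete
-- minimal dissector that extracts a UTF-16LE string both ways.
-- ASSUMED packet layout, invented for this example:
--   byte 0      : message type (1 = length-prefixed, 2 = NUL-terminated)
--   bytes 1..12 : opaque header, not dissected here
--   byte 13 ... : type 1: a 1-byte length, in BYTES, then the UTF-16LE text
--                 type 2: UTF-16LE text ending in a two-byte 0x0000 terminator
local my_proto = Proto("mydissector", "My UTF-16 Example Protocol")

local f_type    = ProtoField.uint8("mydissector.type", "Message type", base.DEC)
local f_msg_len = ProtoField.uint8("mydissector.msg_len", "Message length (bytes)", base.DEC)
local f_msg     = ProtoField.string("mydissector.msg", "msg", base.UNICODE)
my_proto.fields = { f_type, f_msg_len, f_msg }

local STR_OFFSET = 13 -- where the string data begins in the assumed layout

-- Type 1: the protocol states the range explicitly.
local function dissect_length_prefixed(buffer, subtree)
    local len_range = buffer(STR_OFFSET, 1)
    local str_len = len_range:le_uint()
    subtree:add(f_msg_len, len_range)
    if str_len == 0 then return end

    -- The length byte comes off the wire, so treat it as hostile: a value
    -- larger than what is left in the packet must not become a TvbRange.
    local avail = buffer:len() - (STR_OFFSET + 1)
    if str_len > avail then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR,
            "UTF-16 string length " .. str_len .. " exceeds remaining " .. avail .. " bytes")
        return
    end
    -- An odd byte count cannot be valid UTF-16; flag it but still show the bytes.
    if str_len % 2 == 1 then
        subtree:add_expert_info(PI_MALFORMED, PI_WARN, "odd UTF-16 string length")
    end

    local range = buffer(STR_OFFSET + 1, str_len)
    -- le_ustring() decodes the whole UTF-16LE range. Passing the decoded value as
    -- the third argument makes Wireshark display it instead of re-decoding the
    -- bytes as ASCII, which is what produced "only the first character".
    subtree:add(f_msg, range, range:le_ustring())
end

-- Type 2: the range ends at the terminator, which for UTF-16 is two zero bytes.
local function dissect_nul_terminated(buffer, subtree)
    -- le_ustringz() returns the decoded string and the number of bytes consumed,
    -- terminator included. A plain stringz() would stop at the first 0x00 byte,
    -- i.e. right after the first ASCII-range character of a UTF-16LE string.
    -- If no terminator is found before the end of the packet, the call raises an
    -- error that Wireshark reports as a malformed packet, so no extra guard is needed.
    local str, str_len = buffer(STR_OFFSET):le_ustringz()
    subtree:add(f_msg, buffer(STR_OFFSET, str_len), str)
end

function my_proto.dissector(buffer, pinfo, tree)
    pinfo.cols.protocol = my_proto.name
    local subtree = tree:add(my_proto, buffer(), "My UTF-16 Example Protocol")

    if buffer:len() < STR_OFFSET + 1 then
        subtree:add_expert_info(PI_MALFORMED, PI_ERROR, "packet too short for header")
        return
    end

    local msg_type = buffer(0, 1):uint()
    subtree:add(f_type, buffer(0, 1))
    if msg_type == 1 then
        dissect_length_prefixed(buffer, subtree)
    elseif msg_type == 2 then
        dissect_nul_terminated(buffer, subtree)
    else
        subtree:add_expert_info(PI_UNDECODED, PI_NOTE, "unknown message type " .. msg_type)
    end
end

-- Assumed registration point for the example: UDP port 5000.
DissectorTable.get("udp.port"):add(5000, my_proto)
```

Drop the file into the Wireshark plugins directory (or load it with `-X lua_script:`), then feed it traffic on the assumed port; the "msg" field shows the full decoded text for both layouts, and a length byte that overruns the packet is reported as an Expert Info error rather than being dereferenced.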